Securely Obfuscating Re-encryption

Securely Obfuscating Re-encryption

Susan Hohenberger1,2, Guy N. Rothblum3,!,abhi shelat2, and Vinod Vaikuntanathan3,!!

1 Johns Hopkins [email protected]

2 IBM Zurich Research{sus,abs}@zurich.ibm.com

3 MIT CSAIL{rothblum,vinodv}@mit.edu

Abstract. We present the first positive obfuscation result for a tradi-tional cryptographic functionality. This positive result stands in contrastto well-known negative impossibility results [BGI+01] for general obfus-cation and recent negative impossibility and improbability [GK05] resultsfor obfuscation of many cryptographic functionalities.

Whereas other positive obfuscation results in the standard model ap-ply to very simple point functions, our obfuscation result applies to thesignificantly more complicated and widely-used re-encryption functional-ity. This functionality takes a ciphertext for message m encrypted underAlice’s public key and transforms it into a ciphertext for the same mes-sage m under Bob’s public key.

To overcome impossibility results and to make our results meaningfulfor cryptographic functionalities, we use a new definition of obfuscation.This new definition incorporates more security-aware provisions.

1 Introduction

A recent line of research in theoretical cryptography aims to understand whetherit is possible to obfuscate programs so that a program’s code becomes unintelligi-ble while its functionality remains unchanged. A general method for obfuscatingprograms would lead to the solution of many open problems in cryptography.

Unfortunately, Barak, Goldreich, Impagliazzo, Rudich, Sahai, Vadhan andYang [BGI+01] show that for many notions of obfuscation, a general programobfuscator does not exist—i.e., they exhibit a class of circuits which cannotbe obfuscated. A subsequent work of Goldwasser and Kalai [GK05] shows theimpossibility and improbability of obfuscating more natural functionalities.

In spite of these negative results for general-purpose obfuscation, there are afew positive obfuscation results for simple functionalities such as point func-tions. A point function Ix returns 1 on input x and 0 on all other inputs.Canetti [Can97] shows that under a very strong Di!e-Hellman assumption point! Research supported by NSFgrant CNS-0430450 and NSF grant CFF-0635297.

!! Research supported by NSF grant CNS-0430450.

S.P. Vadhan (Ed.): TCC 2007, LNCS 4392, pp. 233–252, 2007.c! International Association for Cryptologic Research 2007

234 S. Hohenberger et al.

functions can be obfuscated. Further work of Canetti, Micciancio and Rein-gold [CMR98], Wee [Wee05] and Dodis and Smith [DS05] relaxes the assumptionsrequired for obfuscation and considers other (related) functionalities. Despitethese positive results, obfuscators for traditional cryptographic functionalities(such as those that deal with encryption) have remained elusive.

Our Results. In this work, we present the first obfuscator for a more traditionalcryptographic functionality. Namely, we show that:

Main Theorem 1 (Informal). Under reasonable bilinear complexity assump-tions, there exists an e!cient program obfuscator for a family of circuits imple-menting re-encryption.

A re-encryption program for Alice and Bob takes a ciphertext for a message mencrypted under Alice’s public key, and transforms it into a ciphertext for thesame message m under Bob’s public key. Re-encryption programs have manypractical applications such as the iTunes DRM system (albeit, with symmet-ric keys [Smi05]), secure distributed file servers [AFGH06] and secure emailforwarding.

The straightforward method to implement re-encryption is to write a programP which decrypts the input ciphertext using Alice’s secret key and then encryptsthe resulting message with Bob’s public key. When P is run by Alice, this is agood solution.

In the practical applications noted above, however, the re-encryption pro-gram is executed by a third-party. When this is the case, the straightforwardimplementation has serious security problems since P ’s code may reveal Alice’ssecret key to the third party. A better solution is to design an obfuscator for there-encryption program P . That is, we would like that:

A third party who has a re-encryption program learns no more from the re-encryption program than it does from interaction with a black-box oracle thatprovides the same functionality.

As we discuss later in §1.2, several re-encryption schemes have been proposedbefore [BS97, BBS98, DI03, AFGH06], but none of these prior works satisfythe strong obfuscation requirement informally stated above. Our main technicalcontribution is the construction of a novel re-encryption scheme which meetsthis strong notion while remaining surprisingly practical. As a side note, inour construction, ciphertexts that are re-encrypted from Alice to Bob cannotbe further re-encrypted from Bob to Carol. This may be a limitation in somescenarios, but it is nonetheless su!cient for the important practical applicationsnoted above.

Our main conceptual contribution is a definition of obfuscation that bothsidesteps impossibility results by considering randomized functionalities and ismore meaningful for cryptographic applications than previous definitions of ob-fuscation. Let us briefly explain.

Securely Obfuscating Re-encryption 235

1.1 Notion of Secure Obfuscation

The work of [BGI+01] views an obfuscator as a compiler which takes a program(i.e., boolean circuit) P and turns it into an equivalent program that satisfies thepredicate black-box property: any predicate that is computable from the obfus-cated program should also be computable from black-box access to the program(see Definition 1).

Secure Obfuscation. Unfortunately, the predicate definition [BGI+01] and sub-sequent work does not provide a meaningful security guarantee when the ob-fuscated program is used as part of a larger cryptographic system. Intuitively,while the predicate black-box property gives a quantifiable guarantee that someinformation (namely, predicates) about the program is hidden by the obfuscatedcircuit, other “non-black-box information” may still leak. Moreover, this leakedinformation might compromise the security of a cryptographic scheme whichuses the obfuscated circuit. For instance, it is completely possible that an obfus-cated program for “delegating signatures” both meets the predicate black-boxdefinition and is unforgeable under black-box access to a signature oracle, yetallows an adversary who has the obfuscated program code to forge a signature!

Since many potential applications of obfuscation use obfuscated circuits inlarger cryptographic schemes, the definition of obfuscation should guarantee thatthe security of cryptographic schemes is preserved in the following sense.

If a cryptographic scheme is “secure” when the adversary is given black-box access to a program, then it remains “secure” when the adversary isgiven the obfuscated program.

The most important feature of our new definition of obfuscation is that it pre-serves security in the above sense, and thus we refer to it as secure obfuscation.Informally, our definition requires that if there exists a non black-box adversarywith access to an obfuscated program who can break the security of a crypto-graphic scheme, then there exists a black-box simulator which breaks the schemewith similar probability using only black-box access to the program. Thus, ifthe scheme is secure against black-box adversaries, then it is also secure againstadversaries with access to obfuscated programs. The definition we give in thiswork gives the above guarantee for any cryptographic scheme with a distinguish-able attack property; any scheme where a distinguisher with public informationand black-box access to the obfuscated functionality can distinguish whetheror not an attacker has broken the scheme. Semantically secure encryption andre-encryption are examples of such schemes.

This new definition of obfuscation can play an important role in the design ofcryptographic schemes that use obfuscation. With secure obfuscation, the designof such schemes proceeds in two stages:

1. Specify the functionality of a program (or program family), and prove secu-rity of the cryptographic scheme against an adversary given black-box accessto the program.

2. Construct a secure obfuscator for the program (or program family).


The combination of these two steps guarantees security of the scheme against anadversary that has full access to the obfuscated program. Indeed, for our scheme,we show step (1) in Theorem 3 and step (2) in Theorem 4.

Average-Case Obfuscation. Our new definition only requires obfuscation for arandom circuit in a family of circuits (as in [Can97, CMR98, Had00, DS05,GK05]). This relaxed requirement remains meaningful for the many crypto-graphic applications of obfuscation in which the circuit to be obfuscated is chosenat random. Normally the random choice of a circuit corresponds to the randomselection of cryptographic keys. We call the new definition of security average-case secure obfuscation. Combining more security-aware provisions (i.e. giving adistinguisher oracle access to the functionality) with this average-case relaxationwas originally suggested by Pass [Pas06].

Obfuscating Probabilistic Circuits. It is not hard to see that deterministic func-tionalities that are not learnable cannot be obfuscated under our definition(see §2.2). In fact, security-preserving definitions considered in previous works([BGI+01, Wee05]) are only achievable for learnable deterministic functions. Animportant conceptual contribution of our definition and of this work is showingthat these impossibility results disappear when considering obfuscation of prob-abilistic circuits. Furthermore, obfuscation of probabilistic circuits is importantbecause most interesting cryptographic functionalities are probabilistic.

Other work on Obfuscation. Recently, Ostrovsky and Skeith [OS05] consider adi"erent notion of public-key obfuscation focused on keyword search. A public-key obfuscator does not maintain the functionality of a program, but ratherensures that the outputs of a public-key obfuscated program are encryptions ofthe original program’s outputs. Adida and Wikstrom [AW05] use a variationof this definition for public mixing. Both of these works di"er from our notionof obfuscation in that our notion preserves functionality and explicitly considersblack-box versus non-black-box access to a program.

1.2 The Obfuscated Re-encryption Scheme

Comparison with Prior Work. Mambo and Okamoto [MO97] noted the pop-ularity of re-encryption programs in practical applications and suggested e!-ciency improvements over the decrypt-and-encrypt approach. Blaze, Bleumer,and Strauss introduced the notion of proxy re-encryption [BS97, BBS98] inwhich the re-encryption program is executed by a third-party proxy. In theirsecurity notion, the proxy cannot read the messages of either Alice or Bob. TheBlaze et al. construction is bidirectional (i.e., a program to translate ciphertextsfrom Alice to Bob can also be used to translate from Bob to Alice) and canbe repeatedly applied (i.e., a ciphertext can be re-encrypted from Alice to Bobto Carol, etc.). Ateniese, Fu, Green, and Hohenberger [AFGH06] presented asemantic-security style definition for proxy re-encryption and designed the firstunidirectional scheme, although their scheme can only be applied once. Atenieseet al. also built a secure distributed storage system using their algorithms.


While these prior works are secure under specialized definitions, they cannotbe considered as obfuscations for re-encryption since they leak subtle non-black-box information. On the other hand, the re-encryption definitions of Ateniese etal. [AFGH06] provide some security guarantee with respect to dependent aux-iliary inputs, which we will not consider in this work. For example, they showthat even when Alice has the re-encryption program from Alice to Bob, Bob’ssemantic security still holds. (Although our definition does not require this, thescheme we present here satisfies this property.)

Overview of the Construction. We now provide intuition behind our constructionof an obfuscator for re-encryption (see §4 for the full construction). In a series ofattempts, we develop a cryptosystem and an obfuscated re-encryption programwhich translates ciphertexts under pk1 to ciphertexts under pk2. Our startingpoint is a suitable public key cryptosystem.

Recall the semantically-secure encryption scheme due to Boneh, Boyen, andShacham [BBS04] as instantiated in a group G of order q equipped with a bilinearmap. The keys in this scheme are generated by selecting a random h

r! Gand a, b

r! Zq, and setting sk = (a, b, h) and pk = (ha, hb, h). To encrypt amessage m " G, select two random values r, s

r! Zq and output the ciphertextC = [har, hbs, hr+s · m]. To decrypt a ciphertext C = [W, X, Y ], compute theplaintext Y/(W 1/a · X1/b). Let pk1 = (ga1 , gb1 , g) and pk2 = (ha2 , hb2 , h) be twopublic keys for this cryptosystem.

The basic (naive) re-encryption program from pk1 to pk2 contains (sk1, pk2).The program simply decrypts the input using sk1 and encrypts the resultingmessage with pk2. Clearly this program exposes both sk1 and the underlyingplaintext to any third-party executing the re-encryption program.

As a first attempt to obfuscate the basic program, consider the re-encryptionprogram that contains Z1 = a2/a1 and Z2 = b2/b1 and re-encrypts the ciphertext[W, X, Y ] by computing [WZ1 , XZ2 , Y ] for pk2. (On a di"erent cryptosystem, asimilar approach was suggested by Blaze et al. [BBS98].) Unfortunately, thisre-encryption program leaks non-black-box information (i.e., does not satisfythe virtual black-box property in Def. 2). For example, the program containing(Z1, Z2) which translates ciphertexts from Alice to Bob can be transformed intoa new program containing (Z"1

1 , Z"12 ) which translates ciphertexts from Bob to

Alice—a feat which black-box access does not allow.As a second attempt, consider the re-encryption program containing Z1 =

ha2/a1 and Z2 = hb2/b1 . Alice, with sk1 = (a1, b1, g), can compute this programgiven Bob’s public key pk2 = (ha2 , hb2 , h). (On a di"erent cryptosystem, a sim-ilar approach was suggested by Ateniese et al. [AFGH06].) The re-encryptionprogram works as follows: on input a ciphertext [W, X, Y ] = [ga1r, gb1s, gr+s ·m]under pk1, output the ciphertext [e(W, Z1), e(X, Z2), e(Y, h)] = [E, F, G] un-der pk2. To decrypt [E, F, G], the holder of sk2 would first compute Q =G/(E1/a2 · F 1/b2) and then find and output the message mi in the messagespace M such that e(mi, h) = Q. Of course, to ensure e!cient decryption, thislimits the size of the message space M to be a polynomial. Notice the encryp-tion scheme now support two “forms” of ciphertexts—an original form and a


re-encrypted one, each containing elements from di"erent groups. As a result, are-encrypted ciphertext cannot be further re-encrypted. The question, though,is whether or not such a program is any closer to being an obfuscation.

To be a secure obfuscation according to our Def. 2, the output of an ad-versary who is given the obfuscated program must be indistinguishable—evento a distinguisher with oracle access to the re-encryption program—from theoutput of a simulator given only black-box access to the program. Unfortu-nately, in the second attempt, knowledge of the public keys pk1 = (ga1 , gb1 , g)and pk2 = (ha2 , hb2 , h) easily allows a distinguisher to test whether a programcontaining (Z1, Z2) is a valid re-encryption program for these keys by checkingthat e(ga1 , Z1) = e(g, ha2) and e(gb1 , Z2) = e(g, hb2). We do not know how toconstruct a simulator that can output a program which also passes this test.

To bypass this problem, we design our re-encryption program to be a proba-bilistic function of the keys. More specifically, consider the program containing(ya2/a1 , yb2/b1 , y) = (Z1, Z2, Z3) for a randomly selected y " G. (In the contextof point functions, a similar approach was suggested by Canetti [Can97].) Alicecan still generate this re-encryption program using only Bob’s public key. There-encryption program becomes: on input [W, X, Y ] = [ga1r, gb1s, gr+s · m] un-der pk1, output the ciphertext under pk2 as [e(W, Z1), e(X, Z2), e(Y, Z3), Z3] =[E, F, G, H ]. Decryption works as follows: first compute Q = G/(E1/a2 · F 1/b2)and then output message mi in the message space M such that e(mi, H) = Q.

This solution has one subtle problem because all ciphertexts produced bythe obfuscated re-encryption program include H = y as the fourth component,whereas ciphertexts produced by the decrypt-and-encrypt approach contain afresh random value in that position. Thus, the obfuscated program does not“preserve the functionality” of the original one. This is easily fixed by having theobfuscated program re-randomize its output by choosing z

r! Zq and outputting[Ez, F z, Gz , Hz]. (Note, it is not su!cient that we choose y randomly, since thischoice is only made once for all re-encrypted ciphertexts, whereas z is chosenfreshly for each re-encryption.)

Even this, however, falls short, because we do not know how to prove thisconstruction is secure. In particular, since the distinguisher has access to a re-encryption oracle, it can query the oracle on the values contained in the obfus-cated program! Indeed, in the above scheme, there is a specific (complicated)property of valid obfuscated programs that a distinguisher can test for, and wedo not know how to construct a simulator that also passes this test.

In order to overcome this final hurdle, our program re-randomizes the input ci-phertext before applying the transformation above. If the public key is (ga, gb, g),and the input ciphertext is C = [W, X, Y ], our program re-randomizes C by sam-pling r#, s# and computing the ciphertext [W ·(ga)r!

, X ·(gb)s!, Y ·gr!+s!

]. Finally,we are able to show this construction meets our obfuscation definition under tworeasonable complexity assumptions.

As a final point about our complexity assumptions, because our obfuscationdefinition only requires average-case obfuscation, we do not have to make thestrong complexity assumptions necessary in the constructions of Canetti [Can97]


and Wee [Wee05]. Thus, our scheme simultaneously meets a strong theoreticaldefinition while retaining the sensibility associated with standard assumptionsand e!cient algorithms.

2 Definitions

Barak et al. [BGI+01] required that an obfuscator strip programs of non-black-box information. They formalized this by requiring that any predicate com-putable from the obfuscated program is also computable from black-box accessto it. Goldwasser and Kalai [GK05] gave a stronger definition, guaranteeingsecurity in the presence of (dependent) auxiliary input. A formal definition,which we call predicate black-box obfuscation (or predicate obfuscation, for short),follows.

For a family C of polynomial-size circuits, for a length parameter n let Cn bethe circuits in C with input length n (i.e. C = {Cn}).

Definition 1 (Predicate Obfuscation [BGI+01, GK05]). An e!cient al-gorithm Obf is a predicate obfuscator for the family C = {Cn}, if it has thefollowing properties:

– Preserving Functionality: There exists a negligible function neg(n), s.t. forall input lengths n, for any C " Cn:

Pr[#x " {0, 1}n : (Obf(C))(x) $= C(x)] % neg(n)

The probability is taken over Obf’s random coins.– Polynomial Slowdown: There exists a polynomial p(n) such that for su!-

ciently large input lengths n, for any C " Cn, the obfuscator Obf only en-larges C by a factor of p: |Obf(C)| % p(|C|).

– Predicate Virtual Black-box: For every polynomial sized adversary circuit A,there exists a polynomial size simulator circuit Sim and a negligible functionneg(n), such that for every input length n, for every C " Cn, for everypredicate !, for every auxiliary input z " {0, 1}q(n):

!!!Pr[A(Obf(C), z) = !(C, z)] & Pr[SimC(1n, z) = !(C, z)]!!! % neg(n)

The probability is over the coins of the adversary, the simulator and theobfuscator.

As discussed in §1, the predicate black-box definition does not guarantee securitywhen obfuscated circuits are used in cryptographic settings. To address this, weintroduce the new notion of average-case secure obfuscation:

Definition 2 (Average-Case Secure Obfuscation). An e!cient algorithmObf that takes as input a (probabilistic) circuit and outputs a new (probabilistic)


circuit, is an average-case secure obfuscator for the family C = {Cn}, if itsatisfies the following properties:

– Preserving Functionality: “With overwhelming probability Obf(C) behavesalmost identically to C on all inputs”. There exists a negligible functionneg(n), such that for any input length n, for any C " Cn:

Prcoins of Obf

[#x " {0, 1}n : " ((Obf(C))(x), C(x)) ' neg(n)] % neg(n)

The distributions (Obf(C))(x) and C(x) are taken over Obf(C)’s and C’srandom coins respectively. " denotes statistical (L1) distance between dis-tributions.

– Polynomial Slowdown: (identical to Definition 1)– Average-Case Secure Virtual Black-Box: For any e!cient adversary A, there

exists an e!cient simulator Sim and a negligible function neg(n), such thatfor every e!cient distinguisher D, for every input length n and for everypolynomial-size auxiliary input z:

!!!!Pr[C r! Cn : DC(A(Obf(C), z), z) = 1]& Pr[C r! Cn : DC(SimC(1n, z), z) = 1]

!!!! % neg(n)

The probability is over the selection of a random circuit C from Cn, and thecoins of the distinguisher, the simulator, the oracle and the obfuscator. Notethat entities with black-box access to C cannot set C’s random tape.

Note that without loss of generality it is su!cient to require the existenceof a simulator for the “dummy” adversary that just outputs its input. Thiswould give an equivalent definition, but it loses some intuitive appeal.

Discussion. Intuitively, Definition 2 guarantees that any attack that a non-black box adversary can mount using the obfuscated circuit, can also be mountedby a black-box simulator with (oracle) access to the functionality. This new def-inition di"ers from the predicate definition in several ways. It considers obfus-cation of a random circuit from a family, and furthermore, the circuit familiesconsidered can be probabilistic (this allows us to side-step impossibility results,see §2.2). We also follow [GK05] in requiring that the obfuscation be secure inthe presence of (independent) auxiliary input, where the auxiliary input is se-lected first, and then a random circuit is chosen from the family. Note that theaverage-case secure virtual black-box requirement of our new definition is incom-parable to the predicate black-box requirement of [BGI+01]; the latter is weakerin that it only requires that the obfuscator hides predicates, but is stronger inthat it provides the predicate distinguisher with the actual program (whereasour definition only gives our predicate distinguisher black-box access).

Finally, we emphasize that in this new definition there are two importantsources of randomness. The first source of randomness is in the circuits beingobfuscated, which are probabilistic. The second, more subtle, source of ran-domness is in the selection of a random circuit C from the family Cn. Theaverage-case secure virtual black-box requirement guarantees security when a


circuit is selected from the family by a specific distribution (i.e., the uniformdistribution—one should think of this as uniformly choosing random keys for acryptographic scheme). The predicate black-box definition, on the other hand,guarantees security for every circuit in the family, or (equivalently) for everydistribution on circuits. Other work [CMR98, DS05] guarantees security for alarge class of distributions on circuits from a family, such as every distributionwith at least super-logarithmic min-entropy. Our notion of secure obfuscationcan be generalized to give security against more general classes of distributions.For clarity, we choose to present the less general definition above.

2.1 Meaningfulness for Security

This section serves as an informal discussion of the security guarantee providedby average-case secure obfuscation. As mentioned in §1, the definition of obfus-cation should be security-preserving in the following sense: “If a cryptographicscheme is secure when the adversary is given black-box access to a program, thenit remains secure when the adversary is given the obfuscated program.” We claimthat for a large class of applications (including re-encryption), average-case se-cure obfuscation indeed gives this guarantee.

To see this, consider any cryptographic scheme, for which a distinguisher,that has only public information (e.g. public keys) and black-box access to anobfuscated program, can test whether a given adversary can break a scheme(we call this the distinguishable attack property). Many standard cryptographicschemes, such as semantically secure encryption and re-encryption, have thisproperty. For such schemes Definition 2 indeed guarantees that for every adver-sary that mounts an attack using an obfuscated circuit, there exists a black-boxsimulator that can mount an attack with a similar success probability. Thus, ifthe scheme is secure against black-box adversaries, it is also secure against nonblack-box adversaries that are given the obfuscated program.

To illustrate the meaningfulness of the notion of average-case secure obfusca-tion, we propose to use the following informal argument as a methodology forconstructing secure cryptographic schemes:If a cryptographic scheme has the following three properties:

1. The scheme is secure against black-box adversaries with oracle access tofunctionality X selected randomly from a family F

2. A distinguisher D with oracle access to X can test whether an adversary Acan break the security guarantee of the scheme (we call this property thedistinguishable attack property)

3. There exists an average-case secure obfuscator for a family CF of circuitsimplementing the functionalities in F ,

Then the cryptographic scheme is also secure against adversaries who are givenan obfuscation of a circuit selected at random from the family CF .

As a case study, consider semantically-secure re-encryption (see Def. 3). Anattacker is given two relevant public keys and black-box access to a re-encryption


oracle. The attacker is successful if it can distinguish the encryptions of two dif-ferent messages (of its choice) under one of the public keys. As with many cryp-tographic schemes, re-encryption schemes have Property (1). For Property (2),a distinguisher who is given public keys and oracle access to the re-encryptionfunctionality can indeed test whether an adversary has a noticeable chance ofmounting a successful attack.1 Thus, for any re-encryption functionality, assum-ing that Property (3) holds (i.e. there exists an average-case secure obfuscatorfor some circuit family computing re-encryption), we conclude that the scheme isalso secure against adversaries who are given an obfuscated re-encryption circuit.The predicate definition would not let us make such a conclusion.

2.2 Obfuscating Probabilistic Programs

In this section we discuss an impossibility result for average-case secure obfus-cation of deterministic circuits, and explain how we side-step this impossibilityby considering probabilistic circuits. Wee [Wee05] observes that the only deter-ministic circuits that can be obfuscated under strong security-preserving notionsof obfuscation are those that are learnable. This result also applies to obfuscat-ing deterministic circuits under Definition 2. To see the intuition behind thisresult, consider a circuit family C, the “empty” adversary who simply outputsthe obfuscated circuit Obf(C) it gets, and a distinguisher (with black-box accessto C) that outputs 1 only if whatever circuit it gets agrees with C for randominputs.2 Because Obf preserves functionality, the above adversary that outputsObf(C) will get the distinguisher to accept with all but negligible probability. Tomake the distinguisher accept with similar probability, the simulator must learn,from black-box access, a circuit that is (at the very least) very close to C onrandom inputs. Thus random circuits from C must be learnable from black-boxaccess. In particular, deterministic circuit families that are not learnable cannotbe obfuscated under Definition 2.

This impossibility disappears when we consider probabilistic circuit fami-lies. This is because the (e!cient) distinguisher with black-box access to aprobabilistic C and non black-box access to Obf(C) cannot necessarily distin-guish whether the distributions that C and Obf(C) output on a particular in-put are statistically close or far. This is similar to the case of encryption (seeGoldwasser and Micali [GM84]), where only randomness can prevent an ad-versary from recognizing whether two ciphertexts are encryptions of the samebit. Our obfuscation of re-encryption programs uses this observation. In fact,our simulator outputs a “dummy circuit” that has little to do with the cir-cuit being obfuscated, but is still indistinguishable from the true obfuscatedcircuit.

1 To do this, the distinguisher simply runs the adversary with the public keys, answer-ing the adversary’s re-encryption requests using the re-encryption oracle.

2 Wee considers di!erent distinguishers that check di!erent inputs.


3 Algebraic Setting and Assumptions

Bilinear Groups. Let BMsetup be an algorithm that, on input the security param-eter 1k, outputs the parameters for a bilinear map as (q, g, G, GT , e), where G, GT

are groups of prime order q " #(2k). The e!cient mapping e : G ( G ) GT

is both bilinear, i.e., for all g " G and a, b " Zq, e(ga, gb) = e(g, g)ab, andnon-degenerate, i.e., if g generates G, then e(g, g) $= 1.

For simplicity, we present our solution using bilinear maps of the form e :G ( G ) GT . Our scheme can also be implemented in the more general settingwhere e : G1 ( G2 ) GT and isomorphisms between G1 and G2 may not bee!ciently computable. Galbraith, Paterson, and Smart [GPS06] provide moreinformation on various implementation options.

Complexity Assumptions. In this paper, we make the following two complexityassumptions in bilinear groups. When we say two distributions are computation-ally indistinguishable, we mean with respect to a distinguisher with auxiliaryinformation (which is selected independently of the instance).

Assumption 1 (Strong Di!e Hellman Indistinguishability). Let G be agroup of order q where q is a k-bit prime, g

r! G and a, b, c, dr! Zq. Then the

following two distributions are computationally indistinguishable:"g, ga, gb, gc, gabc

#k

c*"g, ga, gb, gc, gd

#k

This assumption has not been proposed before, but it is implied by the Decision3-party Di!e-Hellman assumption proposed in [BSW06].

Assumption 2 (Decision Linear [BBS04]). Let G be a group of order qwhere q is a k-bit prime, f, g, h

r! G and a, b, cr! Zq. Then the following two

distributions are computationally indistinguishable:"f, g, h, fa, gb, ha+b

#k

c*"f, g, h, fa, gb, hc

#k

4 A Special Encryption Scheme and Re-encryptionFunctionality

In this section, we describe a special encryption scheme and a re-encryptionfunctionality for which we later present a secure obfuscation scheme.

4.1 A Special Encryption Scheme !

Our special encryption scheme $ is described in Fig.1. The encryption algorithmsupports two forms of ciphertexts and takes an additional input % " {0, 1} tochoose between them. For the first form, encryption and decryption work asper the Boneh et al. [BBS04] construction. For the second form, the encryptionand decryption are novel and relevant for re-encryption. Note that this encryp-tion system also requires the message space M to be a subset of G which isof size polynomial in k. The semantic security of this scheme will be proven inThm. 3.


Common: For a security parameter 1k, let (q, g,G, GT , e) ! BMsetup(1k) be acommon parameter and let M " G where |M | = O(poly(k)) be the messagespace.

KeyGen(1k, (q, g, G, GT , e)) :1. Randomly select a new generator h

r! G and random a, br! Zq.

2. Output pk = (ha, hb, h) and sk = (a, b, h).Enc(pk , !, m) :

1. Parse pk = (ha, hb, h).2. Choose random r, s

r! Zq.3. If ! = 0, output the ciphertext

$0, (ha)r, (hb)s, hr+s · m, 0

%.

4. If ! = 1, then choose a random tr! G, and output the ciphertext

[1, e((ha)r, t), e((hb)s, t), e(hr+s · m, t), t].Dec(sk , [s, W,X, Y,Z]) :

1. Parse sk = (a, b, h).2. If s = 0, then output Y/(W 1/a · X1/b).3. If s = 1, then

(a) Compute Q = Y/(W 1/a · X1/b).(b) For each m # M , test if e(m,Z) = Q. If so, output m and halt.

Fig. 1. Encryption Scheme "

4.2 Re-encryption Functionality

Recall that obfuscation is with respect to a class of circuits. We now define aspecial class of re-encryption circuits for the encryption scheme $ which can beeasily analyzed.

Let (pk1, sk1) and (pk2, sk2) be two keys pairs which were generated by run-ning KeyGen on independent random tapes. When given an honestly-generatedciphertext encrypted under pk1, a re-encryption circuit decrypts the ciphertextand then re-encrypts the resulting message under a second public key pk2. Fortechnical reasons, we also require the circuit to produce the pairs of public keysfor which it transforms ciphertexts.

More formally, the re-encryption circuit Fsk1,pk2, when run on input c1 =

Enc(pk1, 0, m) for any message m " M , computes m ! Dec(sk1, c1), then com-putes c2 ! Enc(pk2, 1, m), and finally outputs c2. When Fsk1,pk2

is run on inputthe special symbol keys, it outputs the ordered pair of public keys (pk1, pk2).For ciphertexts corresponding to messages in not in M , the circuit returns a ran-domized ciphertext of the second form for the same message. For other ill-formedinputs, it returns +.

Furthermore, let Csk1,pk2be the same as Fsk1,pk2

with the exception that thevalues sk1 and pk2 can be read from the circuit description. This property is easyto achieve by adding a “message” section to the circuit which does not a"ect thecircuit’s output, but encodes a message, with say, and gates encoding a 1 andor gates encoding a 0. We now define the family of circuits:

Ck ="Csk1,pk2

| (pk1, sk1) ! KeyGen(1k), (pk2, sk2) ! KeyGen(1k)#


4.3 Security for Re-encryption

We generalize the standard notion of indistinguishability [GM84] for encryptionschemes by allowing the adversary to have access to a re-encryption oracle. Inparticular, the following definition captures the notion that “given a ciphertexty and black-box access to a re-encryption circuit, an adversary does not learnany information about the plaintext corresponding to y.”

Definition 3 (IND-security with Oracle Csk1,pk2). Let $ be an encryp-

tion scheme and let the random variable INDb($, A, k) where b " {0, 1}, A =(A1, A2) and k " N denote the result of the following probabilistic experiment:

INDb($, A, k)(pk1, sk1) ! KeyGen(1k), (pk2, sk2) ! KeyGen(1k)(m0, m1, i,%, z) ! ACsk1,pk2

1 (1k)y ! Enc(pk i,%, mb)B ! ACsk1,pk2

2 (y, z)Output B

Scheme $ is indistinguishable under a chosen-plaintext attack if , p.p.t. algo-rithms A the following two ensembles are computationally indistinguishable:

&IND0($, A, k)

'

k

c*&IND1($, A, k)

'

k

Remark 1. For simplicity, we allow the adversary to pick the key pk i underwhich the challenge is encrypted and the form % of the encryption. By a standardhybrid argument, the above definition is equivalent to one in which the adversaryis given four encryptions of the challenge message—one per key and per form.

Theorem 3. The encryption scheme $ (in Fig. 1) is an indistinguishable-secure encryption scheme with respect to oracle Csk1,pk2

under the Decision Lin-ear assumption in G.

The proof sketch is given in Appendix A.

5 The Obfuscator for Re-encryption

In Fig. 2, we describe an obfuscator Obf for the class of re-encryption circuitsCk relative to the encryption scheme $ defined in the previous section.

5.1 Main Result

Theorem 4. The obfuscator in Fig. 2 is a secure obfuscator for family Ck.

Proof sketch. Let pk1 = (ga1 , gb1 , g) and pk2 = (ha2 , hb2 , h) with appropriatelydefined secret keys. Let C denote the re-encryption circuit Csk1,pk2

, and letR ! Obf(C) be an obfuscated version of C.


Algorithm Obf, on input a circuit Csk1,pk2 # Ck,1. Reads sk1 = (a1, b1, g) and pk2 = (ha2 , hb2 , h) from the description of

Csk1,pk2 .2. Selects a random integer z

r! Z!q and compute the re-encryption tuple

(Z1, Z2, Z3) = ((ha2)z/a1 , (hb2)z/b1 , hz).3. Constructs and outputs an obfuscated circuit Rsk1,pk2 that contains the

values pk1, pk2, Z1, Z2, Z3 and does the following:- On input keys, output pk1 = (ga1 , gb1 , g) and pk2 = (ha2 , hb2 , h).- On input a 5-tuple [0, W, X, Y, 0] where W, X, Y # G, then:

(a) Select input re-randomization values r, sr! Z!

q .(b) Re-randomize the input as W " ! W · (ga1)r, X " ! X · (gb1)s,

and Y " ! Y · gr+s.(c) Compute E ! e(W ", Z1).(d) Compute F ! e(X ", Z2).(e) Compute G ! e(Y ", Z3).(f) Select an output re-randomization value y

r! Z!q .

(g) Output the ciphertext [1, Ey , F y, Gy , Zy3 ].

- Otherwise return $.

Fig. 2. Obfuscator Obf for Re-encryption circuits for "

Preserving Functionality. Consider any C " Ck and let circuit R ! Obf(C). Weclaim that the output distributions of C and R are statistically close (in fact,identical). To see this, we must consider three classes of inputs. First, for anymessage m " M , observe that

Enc(pk1, 0, m) = [0, ga1r, gb1s, gr+s · m, 0]

for a randomly chosen r, sr! Z$

q . When such a ciphertext is fed as input to R,the circuit outputs

[1, e(ga1(r+r!), ha2z/a1)y, e(gb1(s+s!), hb2z/b1)y , e(gr+s+r!+s!· m, hz)y, hzy]

for randomly chosen r#, s#, yr! Z$

q . Substituting r = r+r!

" , s = s+s!

" , t = hyz, and& is such that3 g" = h, this 5-tuple can be re-written as

[1, e(ha2r, t), e(hb2r, t), e(hr+s · m, t), t]

which is identically distributed to the output of Enc(pk2, 1, m). Second, the sameholds for all m " G\M . Lastly, for keys and junk input, the outputs are identical.

Polynomial slowdown. This property follows by inspection because the obfus-cated circuit computes a few bilinear maps and exponentiations.

3 We do not need to compute # explicitly.


Virtual Blackbox. In order to satisfy the virtual black-box property, it su!cesto only consider the “dummy” adversary. Thus, we must construct a simulatorSimC(1k, z) such that for all distinguishers DC which take as input an obfuscatedcircuit R and auxiliary input z,

!!Pr[DC(Obf(C), z) = 1] & Pr[DC(SimC(1k, z), z) = 1]!! < neg(k).

Let us define the simulator SimC(1k, z) as follows:

1. Query the oracle C on keys to get pk1, pk2.2. Sample Z #

1, Z#2, Z

#3

r! G.3. As in Step (3) of the Obf algorithm, create and output a circuit R# using the

values (pk1, pk2, Z#1, Z

#2, Z

#3).

Notice that SimC produces a circuit which does not correctly compute the re-encryption function. However, we now show that under appropriate complexityassumptions, no p.p.t. distinguisher DC will notice.

Towards this goal, notice that the output of DC(Obf(C), z) is distributedidentically to Nice(DC , k, z) and the output of DC(SimC(1k, z)) is distributedidentically to Junk(DC , k, z) where

Nice(DC , k, z) Junk(DC , k, z)q, G ! BMsetup(1k) q, G ! BMsetup(1k)g, h, r

r! G g, h, rr! G

a1, a2, b1, b2r! Zq a1, a2, b1, b2

r! Zq

pk1 ! (ga1 , gb1 , g) pk1 ! (ga1 , gb1 , g)pk2 ! (ha2 , hb2 , h) pk2 ! (ha2 , hb2 , h)Z1 ! ra2/a1 ; Z2 ! rb2/b1 Z #

1, Z#2

r! Gb ! DC(pk1, pk2, Z1, Z2, r, z) b ! DC(pk1, pk2, Z

#1, Z

#2, r, z)

Output b Output b

In the above experiments, the oracle C represents the re-encryption oracle for thepublic keys pk1 to pk2 which are chosen in the experiment. There is a slight abuseof notation here; when we write expt(DC , k, z) we mean that the distinguisherD has oracle access to Csk1,pk2

for the keys sk1, pk2 chosen in the experiment.The virtual blackbox property follows immediately from the following lemma. -.Lemma 1. Under the SDHI and Decision Linear assumptions, for all p.p.t.distinguishers D and auxiliary information z, the following two distributions arestatistically close.

(Nice(DC , k, z)

)

k

and(

Junk(DC , k, z))

k

Proof Outline. We prove this lemma in a series of incremental steps. We beginwith a simple indistinguishability problem and incrementally add elements andprovide access to various oracles until the experiments are equivalent to their finalform in Lemma 1. Let us now start with a claim which relates the SDHI problem


to a simple indistinguishability problem: (In all of the following experiments, weimplicitly generate q, G ! BMsetup(1k) and each experiment is indexed by kand z although we omit this extra notation when the context is clear.)

Proposition 1. Under the SDHI assumption, Nice(1)k,z

c* Junk(1)k,z where

Nice(1): Proceeds as Nice except that the output is (ga1 , g, ha2 , h, Z1, r, z).Junk(1): Proceeds as Junk except that the output is (ga1 , g, ha2 , h, Z #

1, r, z).

If there exists a distinguisher D which distinguishes Nice(1) from Junk(1) withadvantage ', then there exists an distinguisher D# which solves the SDHI problemwith the same advantage (in roughly the same time).

Proof sketch. The algorithm D#(g, ga, gb, gc, Q, z) works as follows:

1. D# chooses a random wr! Zq.

2. D# runs D(gw, (gb)w, ga, g, Q, gc, z) and echoes the response.Consider a1 = 1/b, a2 = a and r = gc. Thus, if Q = gabc, then we have

Q = rab = ra2/a1 in which case the input to D is identically distributed toNice(1). Otherwise, Q is equal to rt for some random t and the input to D isidentically distributed to Junk(1). -.We now extend Proposition 1 to include more input values.


c* Junk(2)k,z where

Nice(2): Same as Nice except that the output is (pk1, pk2, Z1, Z2, r, z).Junk(2): Same as Junk except that the output is (pk1, pk2, Z

#1, Z

#2, r, z).

Proof sketch. Consider the hybrid distribution T (2) which is the same as Nice(2)

except that Z #2

r! G and the output is (pk1, pk2, Z1, Z #2, r, z). If Nice(2) and

Junk(2) are distinguishable with advantage ', then either Nice(2) and T (2) or T (2)

and Junk(2) are distinguishable by algorithm D with advantage '/2. Either caseimplies a distinguisher for Nice(1) from Junk(1). In the later case, this involvespicking b1, b2 " Zq to form public keys, picking Z #

2 randomly, and using the inputinstance from Nice(1) (or Junk(1)) to simulate the input distribution for D. Theformer case does the same, but swaps the role of ai and bi. -.Towards the proof of our main theorem, we now extend Prop. 2 by providingthe distinguisher with an oracle which returns a five-tuple of random valueswhich works as follows. On input [0, W, X, Y, 0], where W, X, Y " G, R selectsthree random values E, F, G

r! GT and a random value Hr! G and returns

[1, E, F, G, H ]. Otherwise, R returns +. Intuitively, oracle R outputs only ran-dom values and thus should not help any distinguisher.


s* Junk(3)k,z where

Nice(3): Same as Nice(DR, k, z).Junk(3): Same as Junk(DR, k, z).(That is, the distinguishers have oracle access to R instead of C and unlikethe (2)-experiments which output a tuple, these experiments output a bit.)


Proof sketch. The oracle R can be perfectly simulated without any auxiliaryinformation. Thus, for any DR, there exists another non-oracle distinguisherD# (which internally runs D while perfectly simulating R to D) whose outputdistribution is identical to D. Proposition 2 therefore implies that for all distin-guishers DR, Nice(2) c* Junk(2) which implies Nice(3) s* Junk(3) (since the laterexperiment outputs a bit) -.

We now return to the first experiments in which the distinguisher has oracleaccess to the re-encryption circuit C.

Proposition 4. For any p.p.t. distinguisher D, let

((k, z) = Adv*Nice(DC , k, z), Junk(DC , k, z)

+

%(k, z) = Adv*Nice(DR, k, z), Junk(DR, k, z)

+

be the advantage4 that D has in distinguishing Nice from Junk given either are-encrypting oracle C or a random oracle R respectively. There exists a p.p.t.algorithm A which decides the Decision Linear problem with probability at least12 + 1

4 (((k, z) & %(k, z)).

Proof. Without loss of generality, assume that ( > %. (If not, then we flip theway A guesses in its final step.) The algorithm A takes as input, a DecisionLinear instance ) = (h1, h2, h, hx

1 , hy2, Q) and auxiliary information z, and:

1. A samples a challenge bit cr! {0, 1} to pick whether to run Nice or Junk.

2. A samples integers a, b, ur! Zq and group elements g, Z #

1, Z#2, Z

#3

r! G.3. A sets pk1 = (ga, gb, g) and pk2 = (h1, h2, h) and computes a valid re-

encryption tuple (Z1, Z2, Z3) by Z1 ! hu/a1 , Z2 ! hu/b

2 , and Z3 ! hu.4. If c = 1, then A runs DO(pk1, pk2, Z1, Z2, Z3, z) where O is defined below.

If c = 0, then A runs DO(pk1, pk2, Z#1, Z

#2, Z

#3, z).

When D queries the oracle O on input [0, W, X, Y, 0], A responds as follows:(a) Sample input re-randomization values r, s, t

r! Zq.(b) Re-randomize the input as W # ! W ·gar, X # ! X ·gbs, and Y # ! Y ·gr+s.(c) Compute E ! e(W #, Z1) · e(g, htx

1 ).(d) Compute F ! e(X #, Z2) · e(g, hty

2 ).(e) Compute G ! e(Y #, Z3) · e(g, Qt).(f) Sample output re-randomization value &

r! Zq.(g) Respond with the ciphertext [1, E", F ", G", Z"

3].

Whenever D queries its oracle on input keys, A responds with pk1 and pk2,and on all other queries, A responds with +.

5. Eventually D outputs c# " {0, 1}. If c = c#, A outputs 1 (i.e., it guesses thatQ = hx+y). Else if c $= c#, then A outputs 0 (i.e., it guesses that Q $= hx+y).

4 By advantage, we mean the following. Suppose D0, D1 are two probability distri-butions. Then for any adversary A, the advantage in distinguishing D0 from D1 isdefined as: AdvA(D0, D1) = | Pr[x0

r! D0 : A(x0) = 1] % Pr[x1r! D1 : A(x1) = 1]|.


Note that A almost mimics the real obfuscated program. The di"erence is thatwhen computing (4c)-(4e), additional terms are multiplied in to the ciphertext.When the ) instance is a decision linear tuple, then these operations simplycontribute to additional re-randomization of the ciphertext (this does not changethe ciphertext distribution). However, if ) is not a decision linear instance, thenthese operations make E, F, G a random 3-tuple that is also independent of Z3.This proof step is essential.

Claim: If ) is a decision linear instance, then Pr[A() ) = 1] = 12 + ((k, z)/2.

Proof of Claim: When Q = hx+y, then A perfectly simulates NiceC or JunkC

towards the algorithm D. The key point is to recognize that (h1, h2, h) can beinterpreted as a randomly generated public key since h1, h2 can be rewrittenas h1 = he1 and h2 = he2 for some (unknown) e1, e2. Since the re-encryptiontuple Z1, Z2, Z3 is also a valid re-encryption tuple for pk1 ) pk2, the inputparameters to D in step 4 are identically distributed to the inputs to D in ei-ther experiment Nice or Junk. Moreover, the response to an oracle query onkeys is also identically distributed. All that remains is to show that the re-sponses A provides to oracle queries on [0, W, X, Y, 0] are also identically dis-tributed. This last point follows by inspection because Q = hx+y and Z1, Z2, Z3are a valid re-encryption tuple. A simple probability analysis completesthe result:

Pr[A() ) = 1|) " DL] =12

*Pr[Nice(DC) = 1] + Pr[Junk(DC) = 0]

+

=12

*Pr[Nice(DC) = 1] + 1 & Pr[Junk(DC) = 1]

+

=12

+Adv(Nice(DC), Junk(DC))

2

=12

+(

2

Claim: If ) is not a decision linear instance, then Pr[A() ) = 1] = 12 +%(k, z)/2.

Proof of Claim: This proof is almost identical to the previous one. The onlydi"erence is we must show that responses to the oracle queries return fourrandomly selected group elements. Let us denote by *,+, ,, v the values suchthat W = g#, X = g$, Y = g% and Q = hv, and by e1, e2 the values suchthat h1 = he1 and h2 = he2 . Observe that the elements returned by theoracle are

E = [e(W · gar, hu/a1 ) · e(g, htx

1 )]" = e(g, h)"e1[#u/a+tx]+rz"e1

F = [e(X · gbs, hu/b2 ) · e(g, hty

2 )]" = e(g, h)"e2[$u/b+ty]+sz"e2

G = [e(Y · gr+s, hu) · e(g, Qt)]" = e(g, h)"[(%+r+s)u]+tv"

H = hu"

Since r, s, t, & are fresh independently selected values, then E, F, G, H will alsobe independent on every invocation of the oracle.


Proof of Lemma 1. By the decision linear assumption and Prop. 4, it followsthat |((k, z) & %(k, z)| is negligible. By Prop. 3, %(k, z) must be a negligiblefunction, and therefore, so too must ((k, z). This establishes the lemma.

Acknowledgments

We would like to thank Ran Canetti for suggesting the problem and the TCC2007 anonymous reviewers for their helpful comments.

References

[AFGH06] Giuseppe Ateniese, Kevin Fu, Matthew Green, and Susan Hohenberger.Improved Proxy Re-encryption Schemes with Applications to Secure Dis-tributed Storage. ACM Trans. on Information and System Security,9(1):1–30, February 2006. Previously, in NDSS, pages 29-43, 2005.

[AW05] Ben Adida and Douglas Wikstrom. How to shu"e in public. CryptologyePrint Archive, Report 2005/394, 2005. http://eprint.iacr.org/.

[BBS98] Matt Blaze, Gerrit Bleumer, and Martin Strauss. Divertible protocols andatomic proxy cryptography. In EUROCRYPT ’98, volume 1403 of LNCS,pages 127–144, 1998.

[BBS04] Dan Boneh, Xavier Boyen, and Hovav Shacham. Short Group SignaturesUsing Strong Di#e Hellman. In CRYPTO, volume 3152, pages 41–55,2004.

[BGI+01] Boaz Barak, Oded Goldreich, Russell Impagliazzo, Steven Rudich, AmitSahai, Salil P. Vadhan, and Ke Yang. On the (im)possibility of obfuscatingprograms. In CRYPTO ’01, volume 2139 of LNCS, pages 1–18, 2001.

[BS97] Matt Blaze and Martin Strauss. Atomic proxy cryptography. Technicalreport, AT&T Research, 1997.

[BSW06] Dan Boneh, Amit Sahai, and Brent Waters. Fully collusion resistant traitortracing with short ciphertexts and private keys. In EUROCRYPT ’06,volume 4004 of LNCS, pages 573–592, 2006.

[Can97] Ran Canetti. Towards realizing random oracles: Hash functions that hideall partial information. In CRYPTO, volume 1294, pages 455–469, 1997.

[CMR98] Ran Canetti, Daniele Micciancio, and Omer Reingold. Perfectly one-wayprobabilistic hash functions (preliminary version). In STOC, pages 131–140, 1998.

[DI03] Yevgeniy Dodis and Anca Ivan. Proxy cryptography revisited. In NDSS,2003.

[DS05] Yevgeniy Dodis and Adam Smith. Correcting errors without leaking partialinformation. In STOC ’05, pages 654–663, 2005.

[GK05] Shafi Goldwasser and Yael Tauman Kalai. On the impossibility of obfus-cation with auxiliary input. In FOCS ’05, pages 553–562, 2005.

[GM84] Shafi Goldwasser and Silvio Micali. Probabilistic encryption. Journal ofComputer and System Sciences, 28(2):270–299, 1984. Previously, in STOC,pages 365-377, 1982.

[GPS06] Steven D. Galbraith, Kenneth G. Paterson, and Nigel P. Smart. Pairingsfor cryptographers, 2006. Cryptology ePrint Archive: Report 2006/165.

[Had00] Satoshi Hada. Zero-knowledge and code obfuscation. In ASIACRYPT ’00,volume 1976 of LNCS, pages 443–457, 2000.

http://eprint.iacr.org/


[MO97] Masahiro Mambo and Eiji Okamoto. Proxy Cryptosystems: Delegationof the Power to Decrypt Ciphertexts. IEICE Trans. Fund. ElectronicsCommunications and Computer Science, E80-A/1:54–63, 1997.

[OS05] Rafail Ostrovsky and William E. Skeith III. Private searching on streamingdata. In CRYPTO, volume 3621 of LNCS, pages 223–240, 2005.

[Pas06] Rafael Pass, 2006. Personal Communication.[Smi05] Tony Smith. DVD Jon: buy DRM-less Tracks from Apple iTunes, March 18,

2005. http://www.theregister.co.uk/2005/03/18/itunes pymusique.[Wee05] Hoeteck Wee. On obfuscating point functions. In STOC, pages 523–532,

2005.

A Proof of Security for Encryption Scheme

Proof sketch.[of Thm. 3] Let us first argue that $ is an encryption scheme, i.e.,it is perfectly complete. When % = 0, this follows from the BBS scheme. For thesecond form of ciphertexts, on input [1, E, F, G, H ], the decryption algorithmfirst computes Q = G

E1/a2 ·F 1/b2, which by inspection is equal to e(m, H). The

decryption algorithm loops over each (of the polynomially many) mi " M andtests whether e(mi, H) = Q and therefore eventually recovers m as required.

To argue that the scheme meets the security definition, suppose adversaryA = (A1, A2) and distinguisher D has advantage ' in distinguishing IND0(· · · )from IND1(· · · ). Then, we construct an adversary A# that decides the DecisionLinear problem with advantage '/4 as follows. Let ) = (h1, h2, h, hx

1 , hy2 , Q) be

a DL instance; A# works as follows:

1. Sample a, b, cr! Zq.

2. Set pk1 = (h1, h2, h) and pk2 = (hac1 , hbc

2 , hc).3. Run AO

1 (1k) to produce a tuple (m0, m1, i,%, z).When A queries [s, W, X, Y, Z] to its oracle, respond as follows:(a) Return + if s $= 0 or Z $= 0, or if W, X, Y $" G, etc.(b) Sample r " G and use the valid re-encryption program Z1 ! ra, Z2 ! rb

and Z3 ! r to compute a response.4. Sample a bit t

r! {0, 1}.5. Set y to be the ciphertext [0, hx

1 , hy2 , Q·mt, 0] if i = 0 and [0, (hx

1)ac, (hy2)bc, Qc·

mt, 0] if i = 1. Furthermore, if % = 1, transform y into a second-form cipher-text (this can be done with public information).

6. Run B ! AO2 (y, z)

7. Run t# ! D(B) and output 1 if t# = t (guess that ) is a DLA instance) andotherwise output 0.

We argue that when ) is a DL instance, A# perfectly simulates the experimentINDt. When ) is not an instance, then the encryption y is independent of themessage mt and so the probability that t# = t is exactly 1/2. The proof of thetheorem follows by standard probability manipulation of these two facts. -.

http://www.theregister.co.uk/2005/03/18/itunes_pymusique

Documents

Securely Obfuscating Re-encryption